[00:01.070 --> 00:04.870]  Hey, everyone. Welcome to my talk, Pandemic in Plain Text.
[00:04.870 --> 00:08.570]  My name is Troy, aka waveguyd on Twitter.
[00:08.870 --> 00:14.410]  I'm an RF engineer in the aerospace industry. I was formerly a security engineer in the access
[00:14.410 --> 00:18.630]  control and lock industry for a number of years. I also host the channel over at
[00:18.630 --> 00:22.990]  hackerwarehouse.tv. And I just wanted to give a special thanks to IoT Village
[00:22.990 --> 00:28.690]  and to DEF CON Safe Mode for hosting this talk, and to my friend Voxel for this really cool setup
[00:28.690 --> 00:33.050]  and background. So let's get started, Pandemic in Plain Text.
[00:33.890 --> 00:39.210]  All right. The purpose of this talk, and I want to be really clear, is to stop the use of insecure
[00:39.210 --> 00:44.310]  communications at hospitals by shining light on the use of insecure wireless communications that
[00:44.310 --> 00:49.710]  are accidentally leaking your health data and violating your privacy laws. I'm not here to
[00:49.710 --> 00:55.810]  bash hospitals. I'm not here to bash the medical industry. I just want to bring to light that there
[00:55.810 --> 01:01.050]  is this leak happening, and it's been happening for 20 years. And right now, in the middle of this
[01:01.050 --> 01:06.390]  pandemic, I think it's really important that we pay attention to this and that we fix this problem.
[01:06.990 --> 01:11.490]  And just to note that none of your health care providers are really doing this intentionally.
[01:11.910 --> 01:16.090]  It appears to be accidental that they're leaking your information, and they just don't
[01:16.090 --> 01:20.850]  know it. And if you don't want to watch the rest of this talk, the TLDR is, hey, your COVID test
[01:20.850 --> 01:26.810]  results are being literally broadcast from mountains. Yeah, so the story behind this is,
[01:26.810 --> 01:32.110]  if you go back to November or December, a lot of us were looking at Twitter and watching this
[01:32.110 --> 01:38.070]  pandemic come across China. And we were really asking ourselves these questions, like, is this
[01:38.070 --> 01:44.890]  real? Is this going to come over here? Then it kind of came across the ocean, and we got to ask these
[01:44.890 --> 01:50.010]  questions about, you know, do we have enough beds, and PPE, and any cries for help, and are there
[01:50.010 --> 01:55.810]  shortages? And I just started having all these questions, and I really was looking for data on
[01:55.810 --> 02:03.110]  this stuff. And like most of the people, it's kind of hard to sift through all the incoming data that
[02:03.110 --> 02:08.410]  we get through the news. And I just really wanted the hard data. And, you know, I wanted to know,
[02:08.410 --> 02:15.970]  is it affecting my community? And if I could see the data, then I would be able to answer
[02:15.970 --> 02:22.650]  these questions. And I remembered that I think I knew an answer to these questions using RF and
[02:22.650 --> 02:28.910]  wireless. And that was through something called POCSAG, which is pagers. I remember a couple of
[02:28.910 --> 02:35.110]  years ago, we did a talk on HackerWarehouseTV. Not really a talk, but we did a show about how to
[02:36.050 --> 02:41.230]  decode pager messages that are freely being broadcast in the air. And when we did that,
[02:41.230 --> 02:46.750]  we saw a lot of things that were medical-related. And I thought, well, maybe it's a good time to
[02:46.750 --> 02:53.170]  revisit that and see what we can find and see if any of these questions could be answered with data
[02:53.830 --> 03:01.840]  over the POCSAG network. All right. Well, just a little legal disclaimer for this talk.
[03:01.980 --> 03:08.300]  I'm not a lawyer, but I think the following is true. Possessing a software-defined radio. Yeah,
[03:08.300 --> 03:15.260]  that's totally legal. Ham radio operators do that across the globe. Receiving 900 MHz signals on
[03:15.260 --> 03:21.760]  those SDRs. Yeah, of course that's legal. Listening to audio on those signals, just like voice or
[03:21.760 --> 03:28.220]  tones. Yep, nothing special there. Decoding the audio of those signals. Well, that depends. Are
[03:28.220 --> 03:33.500]  they encrypted? In this particular case for this talk, no. Not even a little bit. This is all plain
[03:33.500 --> 03:40.440]  text tones and we're just decoding them. That is legal. Decrypting secure messages or anything
[03:40.440 --> 03:46.900]  that's encrypted. That is not legal. And in this particular case, nothing was decrypted.
[03:47.640 --> 03:54.140]  Distributing or sharing patient information. Obviously, that is not legal. Don't distribute
[03:54.140 --> 03:59.000]  any personal information or any sensitive information that you may receive over these
[03:59.000 --> 04:06.580]  plain text broadcasts. But for the hospitals that are broadcasting the patient information
[04:06.580 --> 04:11.840]  from a mountaintop antenna, apparently that's perfectly legal. I don't know. Maybe that's
[04:11.840 --> 04:18.320]  just a HIPAA violation. Again, I'm not a lawyer. But let's continue. Alright, is this a new
[04:18.320 --> 04:23.560]  vulnerability? The answer, unfortunately, is no. I'm not, unfortunately, dropping zero days here.
[04:23.560 --> 04:28.960]  This has been around for quite some time. I think it was DEF CON 5 this was brought up.
[04:28.980 --> 04:35.260]  Back in 2016, there was also the Holy Pager artwork, I believe it was in Chicago, where it
[04:35.260 --> 04:41.700]  would intercept all POCSAG pager messages and it would forward them randomly to one of three
[04:41.700 --> 04:46.720]  pagers on display. And then it would print out a continuous roll of receipt paper,
[04:46.720 --> 04:52.340]  making a big pile of personal information that they automatically redacted. So that was pretty
[04:52.340 --> 04:57.940]  cool. Then back in 2018, this was brought up again. It was kind of localized to five or six
[04:57.940 --> 05:06.340]  hospitals. Did some digging into that case and it seemed that the response was that intercepting or
[05:06.340 --> 05:12.280]  decoding these tones was a sophisticated attack. And I think you'll see at the end of this talk
[05:12.280 --> 05:19.260]  that that is not the case at all. Alright, where to begin? In order to do this, you have to get
[05:19.260 --> 05:26.080]  some gear. And back in 1997, I would have agreed that it's a sophisticated attack, but not today.
[05:26.180 --> 05:31.500]  Back then, you'd have to get a scanner. You'd have to modify it with something from L0pht Heavy
[05:31.500 --> 05:37.260]  Industries, like this POCSAG decoder from back in the day. I think that thing was $60. Then you
[05:37.260 --> 05:41.860]  would go over to this Doctor Who's radio phone site, which I used to frequent quite often when I
[05:41.860 --> 05:49.920]  was a teenager. And then you would have to stuff all that back into the scanner. And then you could
[05:49.920 --> 05:58.380]  decode these tones. And so yes, back in 1997, that was a sophisticated attack. However, in 2020,
[05:58.780 --> 06:03.900]  you just have to buy a $20 SDR. And you can get those from Hacker Warehouse, you can get them
[06:03.900 --> 06:11.520]  off Amazon, off eBay. It's really just too easy now. You really just plug in the SDR, download
[06:11.520 --> 06:17.980]  software, and then you tune to the signal. It's almost as easy as getting in your car and tuning
[06:17.980 --> 06:25.160]  in a frequency on your radio. You pick one of these frequencies here. These have been around
[06:25.160 --> 06:31.680]  for 20 years. The pager networks really haven't changed. And you tune into them, and you're going
[06:31.680 --> 06:41.500]  to hear some tones. Now the frequency used for this talk was 929.596. I localized the signal.
[06:41.500 --> 06:47.140]  It's coming from Santiago Peak, the antenna farm up there. And it has a lot of coverage. I was
[06:47.140 --> 06:55.900]  picking up hospitals from about a 70 mile radius. So a lot of stuff from Riverside, Pomona, down
[06:55.900 --> 07:03.640]  San Diego area, Irvine, not so much from LA County. But everything you see there in the circle
[07:03.640 --> 07:09.660]  was definitely within range of this tower. And the way the towers work is they relay off of
[07:09.660 --> 07:15.120]  one another. So a lot of times if you're not close to this tower, you'll be close to another tower.
[07:15.240 --> 07:20.720]  And you can find a signal that way. These signals are very strong. They're probably when you
[07:20.720 --> 07:26.560]  plug in the software, and you tune to a station, they are the strongest stations around.
[07:26.620 --> 07:32.460]  Okay, so as far as the signal goes, it sounds a little something like this.
[07:36.340 --> 07:43.220]  Now this is provided by M.A.Z.U.R. They said they got it from Matt Damon. That's true.
[07:43.220 --> 07:50.040]  But it sounds like kind of like an old modem tone, right? So that's what you're listening for.
[07:50.040 --> 07:55.260]  So when you tune to that 929 frequency, you're going to hear a whole lot of that.
[07:55.800 --> 08:03.100]  Okay, so the audio tone you just heard basically is a little more advanced than like DTMF tones
[08:03.100 --> 08:10.600]  on a keypad. So like whenever you press one on your telephone, you get a combination of this 1209
[08:10.600 --> 08:19.200]  hertz and this 697 hertz. And that's how the system knows that's a one. Similarly, frequency
[08:19.200 --> 08:25.200]  shift keying, whenever you lock onto that 929 megahertz signal, those audio shifts you hear
[08:25.200 --> 08:31.300]  are creating ones and zeros in the bit stream. And that's kind of in a nutshell how FSK works.
[08:31.760 --> 08:38.600]  Remember, I'm watering this down for kind of all audiences. But the point is, the tones will
[08:38.600 --> 08:46.640]  create frequency shift keying, which then creates data. And a Windows program like PDW will decode
[08:46.640 --> 08:53.120]  that data. And it'll just put it across your screen like this. And so this is actually what
[08:53.120 --> 08:59.900]  you just heard decoded. It's the standard DEF CON, drink all the booze, hack all the things
[08:59.900 --> 09:08.480]  mantra. So that's how this works. It's really not encrypted. It's all plain text. It's just a
[09:08.480 --> 09:13.960]  little bit more advanced than DTMF tones on a telephone. And you'll tune into the tones and
[09:13.960 --> 09:20.100]  get the data on your screen. It's really that simple. So now that you know how it works and
[09:20.100 --> 09:26.440]  how to decode a Dual Core song, let's shift back to kind of the hospital research. So I did a little
[09:26.440 --> 09:32.600]  digging here. There was this research about use of technology for patient care related communications.
[09:32.780 --> 09:39.780]  The gist of that paper was that 80% of hospitals still use pagers. And in that paper, they actually
[09:39.780 --> 09:45.240]  believe that pagers are more secure than cell phones. And you can check out this link and read
[09:45.240 --> 09:51.240]  more about that. But the quote that stood out to me was this one. They send only numeric messages
[09:51.240 --> 09:57.960]  or basic text messages, says Dr. So-and-so. This way, no confidential information can get in the
[09:57.960 --> 10:02.920]  wrong hands. That could happen with a cell phone. And I think that is the heart of this
[10:02.920 --> 10:10.920]  problem. Pagers are actually thought of as a very good tool and a secure tool to use in hospitals
[10:11.760 --> 10:21.440]  when, in fact, they're not. So if we kind of know that, then it kind of makes sense why
[10:22.220 --> 10:29.700]  all of HIPAA compliance is being put into the network and securing the network within the
[10:29.700 --> 10:35.760]  hospital. And the pager usage is not really thought of as an open door. It's thought of
[10:35.760 --> 10:42.380]  more secure than that network. And what I found was that the pager usage actually isn't. So
[10:42.380 --> 10:48.100]  if we go back to that quote of they send only numeric messages, basic text messages,
[10:48.100 --> 10:55.480]  and no confidential information can get in the wrong hands, it's actually quite different. So
[10:56.300 --> 11:05.920]  here we go. This is a basic pager message from a hospital. It's leaking your personal information,
[11:05.920 --> 11:13.040]  and it even includes COVID results. This is one dissected, so I'll walk through this.
[11:13.040 --> 11:18.980]  You have the pager number, followed by the message time it was sent, the message date,
[11:19.490 --> 11:27.480]  which is a type of POCSAG-related protocol, alpha, which kind of defines the type of FLEX.
[11:27.480 --> 11:32.540]  There's different types. It includes this automated system name, which I'll touch on in a
[11:32.540 --> 11:40.620]  bit. It has the hospital name. It then goes into requested, which this is a bed request,
[11:41.180 --> 11:49.500]  last name, first name, age, gender, isolation protocol. That kind of tells the PPE. There's
[11:49.500 --> 11:54.860]  droplet, which is like a face mask. Sometimes it says full PPE. Sometimes it says face,
[11:55.500 --> 12:00.500]  different things there. The origin unit. Sometimes it says doctor's name. Sometimes
[12:00.500 --> 12:06.500]  it says a unit. In this case, it was the emergency department or usually that's emergency something.
[12:06.500 --> 12:13.280]  Sometimes it's a full doctor's name. And then in the comments right there, it says COVID positive
[12:13.280 --> 12:21.620]  or COVID negative. So that is a basic pager message that is not supposed to have any of
[12:21.620 --> 12:27.060]  your personal information in it. Because of COVID, they have gotten quite bloated
[12:27.060 --> 12:33.720]  with personal information. It didn't used to be this big. And that is the point of this discussion
[12:33.720 --> 12:40.040]  is this is what a simple text message looks like now. And it has too much personal information in
[12:40.040 --> 12:48.540]  it. And it has a lot of privacy violations in it as well. So once I saw that, I mean, what did I do?
[12:49.620 --> 12:56.740]  I decided just to let that decoder run. So I ran it for 52 days, mid-March through August 1st,
[12:56.740 --> 13:02.320]  2020. Looking at COVID-related results, they would come across the screen.
[13:02.320 --> 13:08.440]  It resulted in 52 files, only 28 megabytes worth of data.
[13:11.060 --> 13:15.340]  And remember what I was looking for in the beginning? I was trying to figure out, hey,
[13:15.340 --> 13:20.260]  is this pandemic real? I didn't know anybody that had it. I didn't know if it was in our hospitals.
[13:20.260 --> 13:26.240]  So I really just wanted to trust the data and see for myself. I was really concerned about this
[13:26.240 --> 13:30.820]  whole, do we have enough beds, PPE and shortages? I wondered if there was data that would support
[13:30.820 --> 13:35.920]  that or give me a number. I wanted to know if it's affecting my community. And I wanted to know,
[13:36.520 --> 13:43.960]  is anybody out there doing this right and sending these messages securely? And so I got answers to
[13:43.960 --> 13:49.280]  all of these really. This is what a basic pager text message looks like. And here's some of the
[13:49.280 --> 13:54.660]  information we got. So hospital bed requests, they include COVID results. You can see over here,
[13:54.660 --> 13:59.520]  COVID positive, COVID positive. It came from a couple of different systems. This one came from
[13:59.520 --> 14:07.980]  an XT system. This one over here is this RTM system at now. So you can see here, I've redacted
[14:08.740 --> 14:14.400]  all the information. So I'm not distributing personal information here. This is a generic
[14:14.400 --> 14:21.360]  Patricia. She's an 84-year-old female. She has COVID positive. And this one is a 45-year-old
[14:21.360 --> 14:28.680]  male, Lazaro. He has been diagnosed with COVID-19. Additional comments they even put in here.
[14:28.720 --> 14:34.680]  This is what COVID is known as, is acute hypoxic respiratory failure. You see this pretty readily
[14:34.680 --> 14:40.480]  come across the stream. You see EMS fire runs, which give you a little more data on
[14:41.460 --> 14:47.740]  things that are happening then and now. Outside the hospital, this particular instance,
[14:47.740 --> 14:53.580]  someone was brought in because they smoked weed and drank some shots, but they asked them about
[14:53.580 --> 14:57.480]  COVID and they were negative on the COVID questions. So that comes across the stream.
[14:57.480 --> 15:02.900]  You get a lot of nurse to doctor communications going on over the pagers. You got ICU admissions.
[15:03.320 --> 15:08.740]  You can find out details there. They're broadcasting this person was intubated on three
[15:08.740 --> 15:14.820]  pressors. They even have questions on, they want to discuss options with hydroxychloroquine and
[15:14.820 --> 15:22.360]  ribavirin. And they have phone numbers there. There's a lot of questions going back and forth.
[15:22.760 --> 15:27.580]  And you also see these nurse to doctor communications regarding ventilator data.
[15:27.620 --> 15:32.780]  So basically everything they talk about on the news is being broadcast through these
[15:32.780 --> 15:38.220]  pager messages in plain text. There's a lot of this coming across the stream. Over 52 days,
[15:38.220 --> 15:43.840]  there were 17,286 tones decoded that turned into these types of text messages.
[15:44.820 --> 15:51.980]  Of those, 1,852 were bed requests with that HIPAA information included that should not have been
[15:51.980 --> 15:59.940]  there. There were 2,077 diagnoses. Of those diagnoses, 1,219 were COVID related. That
[15:59.940 --> 16:06.260]  includes negatives and positives or even questions, COVID questions. I just put these on here for
[16:06.260 --> 16:12.420]  comparison. There were only 78 fracture related, surprisingly only 67 cancer related and 300 chest
[16:12.420 --> 16:19.560]  pain. So you see an uptick in chest pains with COVID. And so that was one of the filters also
[16:19.560 --> 16:28.300]  in the data. Average age of patients with the virus was about 72 within that tower. But like
[16:28.300 --> 16:34.260]  I said, there's towers across the United States everywhere that are broadcasting this. So it'll
[16:34.260 --> 16:39.960]  vary from place to place. Also, I did get an answer to that final question. Is anyone doing
[16:39.960 --> 16:47.060]  it secure? And I found that a few, I think it was 11% of the messages actually were sent securely.
[16:47.860 --> 16:50.760]  Obviously, there's a lot of attack vectors with this kind of information.
[16:51.020 --> 16:55.720]  From embarrassment, identity theft, to billing scams, disrupting supply chains,
[16:55.720 --> 16:59.980]  misrouting patients. That would be if you were spoofing communications. We are not doing that
[16:59.980 --> 17:05.060]  here. We're just receiving these things out of the thin air. But there's a lot of like drug
[17:05.060 --> 17:10.080]  interaction text messages where it says, hey, should they take this? Text me yes or no. And
[17:10.080 --> 17:15.260]  that seems dangerous, especially over unencrypted communications, which leads just to life safety
[17:15.260 --> 17:19.880]  in general. And that's why this practice of using pagers in hospitals just really needs to stop.
[17:20.220 --> 17:26.380]  So how does this happen? It appears that no one's doing this intentionally. It's part of a system.
[17:26.840 --> 17:32.900]  That XT system is, there's a lot of these different patient management systems that
[17:32.900 --> 17:39.380]  hospitals use. This one looked like it came from TeleTracking XT, which they talk about IVRs,
[17:39.380 --> 17:47.000]  which are systems that help hospitals manage patients. And even in here, in the TeleTracking
[17:47.000 --> 17:51.380]  website, they talk about, you know, details are sent to the employee's pager. Keep in mind,
[17:51.380 --> 17:54.900]  that's not their fault. This is just their software. You can implement these pager
[17:56.560 --> 18:03.460]  communication systems properly with encryption, like we saw back here. See, this one was secure.
[18:03.680 --> 18:08.580]  But it's really up to the hospital and their service providers. It may not even be the
[18:08.580 --> 18:13.600]  hospital's fault. They may contract it out to a telecommunication service provider,
[18:13.600 --> 18:17.680]  and they're just using the wrong type of pager network rather than the secure one.
[18:17.980 --> 18:23.480]  So I also found, though, that these systems are tracking this exact same data, and they're
[18:23.480 --> 18:30.680]  providing it back to the hospital kind of on an enterprise level. So that the heart of the data
[18:30.680 --> 18:36.920]  is the pager data, and then you can create these dashboards. And so they're actually doing what I
[18:36.920 --> 18:41.240]  was trying to do, but they're doing it within the hospital. And you can see it's very valuable
[18:41.240 --> 18:47.360]  information for the hospitals, but it just needs to stay within the hospital, right?
[18:48.120 --> 18:53.440]  So what answers did I get? Yes, this is real. It's happening. I saw EMS run confirmations,
[18:53.440 --> 19:00.300]  symptoms match. We can see most bed requests seem like bed levels were okay. Didn't see a lot of
[19:00.300 --> 19:06.560]  messages where people were worried about that, but that was just my area. I'm sure that's a
[19:06.560 --> 19:11.680]  problem other places. I was able to see in my community that the older population was more
[19:11.680 --> 19:15.760]  affected. And I also was able to answer the question of, is there a lot of security here?
[19:15.760 --> 19:21.320]  And it was not. Only 11% of the messages were actually secured and encrypted, and in no way did
[19:21.320 --> 19:26.080]  I try to decrypt them at all. That would have just been too hard when you have thousands of
[19:26.080 --> 19:30.840]  thousands of them that are not encrypted. So where do we go from here? Healthcare providers need to
[19:30.840 --> 19:36.260]  do this stuff. And I've been in the industry, so these are the questions that some of these
[19:36.260 --> 19:42.160]  roles need to ask. I won't go through all these, but CIO, you need to allocate budget. IT needs to
[19:42.160 --> 19:48.440]  ask some questions. Auditors, start auditing these pager networks, please. Lawyers, start asking
[19:48.440 --> 19:52.980]  questions. Reporters, spread this information in this talk, so we can have these conversations
[19:52.980 --> 19:58.700]  about healthcare system. And patients, you can ask your providers about their pager system security,
[19:58.700 --> 20:05.180]  if you see your doctor wearing one. Hospitals just need to listen to the security community.
[20:05.180 --> 20:09.920]  Please don't say this is a sophisticated attack, because it's not at all. It's super easy.
[20:10.020 --> 20:15.040]  We just need to upgrade the security in these systems. And for the healthcare providers,
[20:15.040 --> 20:20.980]  they just need to keep up the good fight. Let IT deal with this, and keep doing what you're doing,
[20:20.980 --> 20:26.200]  because we're all thankful for everything that you do. All right. Thank you. I think my time is
[20:26.200 --> 20:30.040]  up. Thanks again, everybody, for listening. If you want to hit me up on Twitter, you can reach
[20:30.040 --> 20:37.500]  me at @waveguyd. That's at W-A-V-E-G-U-Y-D. Or on the Discord link right here. I'll be doing Q&A
[20:37.500 --> 20:42.040]  right now. So talk to you soon, and hopefully see you next year. Thanks.
